Researchers discovered a security issue affecting Microsoft Office that could allow remote code execution attacks. The vulnerability caught the attention as a zero-day as researchers noticed it under attack, targeting Microsoft Office apps.
Microsoft Office Zero-Day
A security researcher with the alias crazymanarmy from the Shadow Chaser Group recently reported a serious Microsoft Office vulnerability. Exploiting the vulnerability via maliciously crafted Office files like Word documents allows an adversary to wage a remote code execution attack.
Following this disclosure, an independent cybersecurity research team named “nao_sec” labeled this Microsoft Office vulnerability as a zero-day. A malicious Word file submission from Belarus on VirusTotal depicts that the threat actors had already exploited the flaw.
Interesting maldoc was submitted from Belarus. It uses Word's external link to load the HTML and then uses the "ms-msdt" scheme to execute PowerShell code.https://t.co/hTdAfHOUx3 pic.twitter.com/rVSb02ZTwt
— nao_sec (@nao_sec) May 27, 2022
In addition, numerous other researchers also analyzed the vulnerability to share the exploit details. Dubbing it “Follina”, the researcher Kevin Beaumont shared a detailed write-up elaborating on how a malicious Word document in the wild missed Microsoft Defender for Endpoint detection.
Beaumont also highlighted how the attack existed in the wild since April, involving numerous Russian threat actors. Likewise, the researcher Will Dormann also shared a detailed thread on Twitter elaborating on the exploit.
Although, according to Beaumont, Microsoft knew of the vulnerability earlier, however, the tech giant didn’t consider it an issue. Yet, the Redmond giant has now acknowledged the vulnerability officially.
Describing the vulnerability in an explanatory blog post, Microsoft stated,
A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.
This vulnerability has received the identification ID CVE-2022-30190. Microsoft labeled it as a high-severity vulnerability that attained a CVSS score of 7.8.
Currently, no permanent fix for the vulnerability exists. However, the tech giant has shared a workaround to avoid exploits that involves disabling the MSDT URL Protocol.
In addition, Dormann advises users to disable the “Preview” pane in Windows Explorer since it adds to the exploit. He demonstrated such an attack in a short video.
The important difference is that this variant still works.
Let's look at the preview pane attack vector, like we did for CVE-2021-40444 since that one is more fun. Protected View be damned!
Here is Office 2019 on Win10, both with May 2022 updates. pic.twitter.com/t20bTnZpxG
— Will Dormann (@wdormann) May 30, 2022
Besides, Microsoft confirms strengthening its Defender Antivirus to detect and prevent the threat with the following signatures.
- Trojan:Win32/Mesdetty.A (blocks msdt command line)
- Trojan:Win32/Mesdetty.B (blocks msdt command line)
- Behavior:Win32/MesdettyLaunch.A!blk (terminates the process that launched msdt command line)
- Trojan:Win32/MesdettyScript.A (to detect HTML files that contain msdt suspicious command being dropped)
- Trojan:Win32/MesdettyScript.B (to detect HTML files that contain msdt suspicious command being dropped)
Let us know your thoughts in the comments.